console: OIDC login in console#35440

Status: Open
leedqin wants to merge 2 commits into MaterializeInc:main from leedqin:console-oidc-login

Conversation

@leedqin (Contributor) commented Mar 11, 2026

Remove these sections if your commit already has a good description!

Motivation

This PR adds OIDC authentication for the self-managed console. Linear issue: CNS-25

Description

For the console to handle oidc authentication, here are the changes in this PR:

  • Added oidc-client-ts and react-oidc-context libraries to the console

  • Created an OIDC library wrapper for the oidc library to create a shared User Manager that caches the ID token and exports the ID token to be consumed by the API client

  • Tests that mock the oidc token and functions

  • Added "Oidc" to AppConfig so that oidc auth mode can be parsed from app-config.json

  • Created the OidcProviderWrapper.tsx to initialize OIDC UserManager and wrap the children in AuthProvider when authmode === oidc

  • In apiClient.ts, when authMode === oidc, the oidc middleware will add an Authorization: Bearer <idToken> header if a token exists. If there is no token, no header is sent -- the session cookie is used implicitly. If a session expires, the 401 redirect would handle the expired session

  • In the websocket, getWsAuthConfig returns the ID token if available, null otherwise

  • Allow "Oidc" in auth.ts for password auth to work alongside OIDC

  • In the Login Box, the password auth option would also render along with "Use Single Sign on" link

Auth Flow:

User clicks "Use single sign-on"
           │
           ▼
┌──────────────────────────────────┐
│  Login.tsx: SsoLoginLink         │
│  auth.signinRedirect()           │
└──────────────┬───────────────────┘
               │
               │  oidc-client-ts:
               │  1. Generate code_verifier + code_challenge
               │  2. Store in sessionStorage
               │  3. Redirect browser
               │
               ▼
┌──────────────────────────────────┐
│  Auth0 /authorize                │
│  ?response_type=code             │
│  &client_id=jM1iDueUB3ucXyUgPbsZ│
│  &redirect_uri=.../auth/callback │
│  &scope=openid profile email     │
│  &code_challenge=<hash>          │
│  &code_challenge_method=S256     │
│  &state=<random>                 │
└──────────────┬───────────────────┘
               │
               ▼
┌──────────────────────────────────┐
│  Auth0 login page                │
│  User enters credentials / MFA   │
└──────────────┬───────────────────┘
               │
               │  Auth0 redirects:
               │  /auth/callback?code=<authz_code>&state=<random>
               │
               ▼
┌──────────────────────────────────┐
│  UnauthenticatedRoutes.tsx       │
│  OidcAuthGuard                   │
│                                  │
│  hasAuthParams() → true          │
│  (code + state in URL)           │
│  → render <LoadingScreen />      │
└──────────────┬───────────────────┘
               │
               │  AuthProvider (react-oidc-context)
               │  detects callback params, calls
               │  userManager.signinRedirectCallback()
               │
               ▼
┌──────────────────────────────────┐
│  oidc-client-ts token exchange   │
│                                  │
│  POST Auth0 /oauth/token         │
│  {                               │
│    grant_type: authorization_code│
│    code: <authz_code>            │
│    code_verifier: <from storage> │
│    redirect_uri: .../auth/callback│
│    client_id: jM1iDueUB3ucXyUgPb│
│  }                               │
│                                  │
│  Auth0 responds:                 │
│  { id_token, access_token }      │
└──────────────┬───────────────────┘
               │
               │  oidc-client-ts stores user
               │  in sessionStorage, fires
               │  userLoaded event
               │
               ▼
┌──────────────────────────────────┐
│  oidc.ts                         │
│  userLoaded callback:            │
│  cachedIdToken = user.id_token   │
└──────────────┬───────────────────┘
               │
               │  auth.isLoading → false
               │  auth.isAuthenticated → true
               │  OidcAuthGuard renders children
               │
               ▼
┌──────────────────────────────────┐
│  Authenticated Routes            │
│                                  │
│  Every API call:                 │
│  apiClient.ts oidcAuthMiddleware │
│  → getOidcIdToken() returns token│
│  → Authorization: Bearer <token> │
└──────────────────────────────────┘

Reviewing Tips

  • Would recommend reviewing it by commit. First commit sets up the oidc setup in the app. Second commit focuses on making it work with password auth

Verification

SSO_console.mov
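The token plumbing described in the bullets above (the userLoaded cache, the apiClient.ts middleware, getWsAuthConfig and the OidcAuthGuard callback check) modelled as pure functions so the header-or-cookie decision can be unit-tested. This is an added example, not code from this PR or from oidc-client-ts; the CachedUser shape, the nowSeconds parameter and the parseQuery helper are assumptions made here for testability.

```typescript
// Added example: models the console's OIDC auth plumbing, not the PR's own code.

type HeaderMap = Record<string, string>;

// Assumed shape of what the userLoaded callback receives: the raw ID token and
// its expiry as a Unix timestamp in seconds (oidc-client-ts exposes expires_at).
interface CachedUser { id_token: string; expires_at: number }

let cachedUser: CachedUser | null = null;

// oidc.ts userLoaded callback: cache the user so the API client can read the ID token.
function onUserLoaded(user: CachedUser | null): void { cachedUser = user; }

// Returns the cached ID token, or null when none is cached or it has expired.
// An expired token is never attached; the backend's 401 redirect then re-runs login.
function getOidcIdToken(nowSeconds: number): string | null {
  if (!cachedUser || cachedUser.expires_at <= nowSeconds) return null;
  return cachedUser.id_token;
}

// apiClient.ts middleware: in oidc mode attach Authorization: Bearer <token> when a
// token exists; otherwise send no header so the session cookie is used implicitly.
function oidcAuthMiddleware(authMode: string, headers: HeaderMap, nowSeconds: number): HeaderMap {
  const out: HeaderMap = { ...headers };
  if (authMode !== "oidc") return out;
  const token = getOidcIdToken(nowSeconds);
  if (token !== null) out["Authorization"] = `Bearer ${token}`;
  return out;
}

// WebSocket: the ID token if available, null otherwise.
function getWsAuthConfig(nowSeconds: number): { idToken: string } | null {
  const token = getOidcIdToken(nowSeconds);
  return token === null ? null : { idToken: token };
}

// Minimal query-string parser (assumed helper) so this runs without DOM globals.
function parseQuery(search: string): HeaderMap {
  const out: HeaderMap = {};
  for (const part of search.replace(/^\?/, "").split("&")) {
    if (part === "") continue;
    const [k, v = ""] = part.split("=");
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return out;
}

// OidcAuthGuard: true when the redirect URI carries both code and state, meaning the
// callback should render the loading screen while signinRedirectCallback runs.
function hasAuthParams(search: string): boolean {
  const q = parseQuery(search);
  return q["code"] !== undefined && q["state"] !== undefined;
}
```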

@github-actions

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: compute:, storage:, adapter:, sql:

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

@leedqin force-pushed the console-oidc-login branch from 544caa2 to ab71600 on March 11, 2026 21:11
@leedqin force-pushed the console-oidc-login branch from ab71600 to f965445 on March 11, 2026 21:11
@leedqin changed the title from "Console OIDC login" to "console: OIDC login in console" on Mar 12, 2026
@leedqin marked this pull request as ready for review on March 12, 2026 19:50
@leedqin requested a review from a team as a code owner on March 12, 2026 19:50
@leedqin requested review from SangJunBak and removed the request for a team on March 12, 2026 19:50